fix: match semver patch
A previous commit introduced semver.coerce() on the patch version range, when doing 'snyk protect'.
The problem is that coerce() returns a SemVer type, not a string. The existing code uses semver.satisfies() to check if the given patch applies to the node_module, but since satisfies() expects a string, the patch was not applied since the check never passed.

This resulted in patches being skipped, but we marked them as applied.

The following fix restores the previous functionality of running satisfies() on the patch range but also keeps the existing check of using coerce() while also fixing the output of coerce() to be a string (by reading the version property of the SemVer type). This way we do a check that the patch version is a SemVer range, but we also correctly cover the case where it's not a SemVer range (which was originally the intention).
ivanstanev committed Oct 23, 2019
1 parent 9dad618 commit 48c8062
Showing 1 changed file with 13 additions and 2 deletions.
15 changes: 13 additions & 2 deletions src/lib/protect/apply-patch.js
Expand Up @@ -37,8 +37,19 @@ function applyPatch(patchFileName, vuln, live, patchUrl) {
}

const versionOfPackageToPatch = pkg.version;
const patchableVersionsRange = semver.coerce(vuln.patches.version);
if (semver.satisfies(versionOfPackageToPatch, patchableVersionsRange)) {
const patchableVersionsRange = vuln.patches.version;

const isSemverMatch = semver.satisfies(
versionOfPackageToPatch,
patchableVersionsRange,
);

const isVersionMatch = semver.satisfies(
versionOfPackageToPatch,
semver.valid(semver.coerce(vuln.patches.version)),
);

if (isSemverMatch || isVersionMatch) {
debug(
'Patch version range %s matches package version %s',
patchableVersionsRange,
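Review bot: the `isVersionMatch` fallback can accept versions that the original range excludes, because `semver.coerce(vuln.patches.version)` discards any range operator and keeps only the bare version. As an illustration (not a value from this page), a range of `<1.2.3` coerces to `1.2.3`, `semver.valid` returns `'1.2.3'`, and `semver.satisfies(versionOfPackageToPatch, '1.2.3')` is true for a package at exactly 1.2.3, so `isSemverMatch || isVersionMatch` applies a patch the range says does not apply. Since the commit message describes the coerce path as the fallback for the case where `vuln.patches.version` is not a valid range, consider gating it on that condition, e.g. `semver.validRange(patchableVersionsRange) === null && semver.satisfies(...)`, so a valid range is decided by `isSemverMatch` alone. A short comment above the two checks explaining why both exist would also help, and an explicit null check on the result of `semver.valid(...)` would make the "could not coerce" case visible instead of relying on `satisfies()` treating an invalid range argument as no match.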